September 9th 2020
Sweden 


Ref: Feedback to Guidelines 08/2020 on the targeting of social media users and Guidelines 07/2020 on 
the concepts of controller and processor in the GDPR 


Dear European Data Protection Board, 


Appreciate your welcoming to feedback regarding the 2 topics on reference above. As a Privacy
Professional primarily involved in HR talent management solutions and having been exposed to several
discussions regarding both Privacy Shield invalidation and its impact on global operations of Human
capital Globally, I would appreciate if you could consider the following:


Please ensure where regarding Guidelines 08/2020 on the targeting Social media users: 


• That the scope is clear and precise not just in terms of social media, but where and if these
guidelines do not apply to other types of processing activities

• The above extends to social media companies and their ‘other activities’ such as analytics, maps,
authentication controls etc., which can be used/linked for other legal and processing purposes.

• If you can provide guidance on the difference between social media for the public vs. socializing
media for other Art. 6 GDPR lawful processing where consent is not involved (contract or 
interest of contract, legitimate need, ....) 


Please ensure where regarding Guidelines 07/2020 on the concepts of controller and processor: 


• Could you clarify what is considered appropriate risk or ‘additional measures’ as it pertains to
processing activities and the interest of the subject. 

• If you could provide some examples of processing for Cloud solutions, where IaaS, PaaS and
SaaS have completely different levels of processing due to the services being provided and
extent of processing. Many IaaS or PaaS do not require the vendor to process transactions of
personal data, whereas SaaS providers may need (via functions of the application layer)
personal data to be processed in ways where the person needs to be identified and accounted 
for in each transaction. 

• Could there be clarification on Standard Contractual Clauses for processor to Sub-processor.
With Enterprise internal applications in particular, there may be multiple technology partners 
jointly providing a service to the controlling organization, in the ‘chain-of-responsibility’ model, 
processor to sub-processors have never been formalized and further clarity or standardization 
would be beneficial to all data and non-data custodians. 


Your attention and ongoing efforts are very much appreciated. 
Best regards, 
Ty Winter 


Cloud Privacy Officer 
+46 7 683 426 11 